Securing Your Linux Server with Fail2ban and FirewallD

As more and more servers are deployed online, it's becoming increasingly important to secure them against malicious attacks. In this article, we'll look at two tools that can help you secure your Linux server: Fail2ban and FirewallD.

Fail2ban is an open-source intrusion prevention software framework that can scan log files and automatically ban IP addresses that show malicious behavior. FirewallD is a firewall management tool that allows you to set up and manage firewall rules on your Linux server.

By combining these two powerful tools, we can create a simple yet robust security system for our Linux server.

Installing Fail2ban

Before we can begin using Fail2ban, we need to install it on our Linux server. Most modern Linux distributions have Fail2ban available in their package repositories, so we can install it using our distribution's package manager.

For example, on Ubuntu and Debian, we can install Fail2ban using the following command:

sudo apt-get install fail2ban

On CentOS and Fedora, we can install Fail2ban using the following command:

sudo yum install fail2ban

Once installed, we can start the Fail2ban service using the following command:

sudo systemctl start fail2ban

Configuring Fail2ban

Now that we have Fail2ban installed, we need to configure it to monitor our server's log files and ban malicious IP addresses.

Fail2ban's configuration files are located in the /etc/fail2ban directory. The main configuration file is jail.conf, which contains the default configuration for Fail2ban's jails.

A jail is simply a set of rules that Fail2ban uses to monitor log files and ban IP addresses. By default, Fail2ban comes with several predefined jails for services like SSH, Apache, and Postfix.

To configure a jail, we need to create a new configuration file in the /etc/fail2ban/jail.d directory. For example, to configure a jail for SSH, we can create a new file called ssh.conf with the following contents:

# /etc/fail2ban/jail.d/ssh.conf
[ssh]
enabled = true
# port(s) the ban applies to; "ssh" is resolved through /etc/services
port = ssh
# use the failregex patterns from /etc/fail2ban/filter.d/sshd.conf
filter = sshd
# sshd logs here on Debian/Ubuntu; on CentOS the file is /var/log/secure
logpath = /var/log/auth.log
# failures within findtime that trigger a ban
maxretry = 3
# ban through FirewallD using an ipset (see /etc/fail2ban/action.d/firewallcmd-ipset.conf)
banaction = firewallcmd-ipset

In this example, we've created a new jail called "ssh", which will monitor the /var/log/auth.log file for SSH login attempts. If an IP address fails to log in more than three times, Fail2ban will use the "firewallcmd-ipset" action to ban the IP address using FirewallD.

We can create similar jails for other services on our server, such as Apache or Postfix, by creating new configuration files in the /etc/fail2ban/jail.d directory.

Once we've configured our jails, we need to restart the Fail2ban service using the following command:

sudo systemctl restart fail2ban
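To see what the jail above actually does before relying on it, the following added Python example (not code from the article or from the Fail2ban project) applies a simplified sshd failregex to a constructed sample of /var/log/auth.log, enforces the maxretry count inside a findtime window, and lists the ipset entries the firewallcmd-ipset action would add. The findtime of 600 seconds (Fail2ban's default), the set name f2b-ssh and the log year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/auth.log lines (not from a real host).
# Syslog timestamps carry no year, so the year is assumed below.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2
Mar  3 10:00:05 host sshd[1202]: Failed password for root from 203.0.113.10 port 51235 ssh2
Mar  3 10:00:09 host sshd[1203]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Mar  3 10:00:12 host sshd[1204]: Failed password for root from 203.0.113.10 port 51236 ssh2
Mar  3 10:00:20 host sshd[1205]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar  3 10:30:00 host sshd[1206]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar  3 10:40:00 host sshd[1207]: Failed password for root from 198.51.100.7 port 40003 ssh2
"""

# Simplified stand-in for the sshd filter's failregex; the real patterns in
# /etc/fail2ban/filter.d/sshd.conf cover many more message forms.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def scan_log(text, maxretry=3, findtime=600, year=2024):
    """Return, in ban order, the IPs that reach maxretry failures within findtime
    seconds, i.e. the IPs the jail would hand to its ban action."""
    window = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = []
    for line in text.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue              # successful logins and other noise are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").timestamp()
        ip = m["ip"]
        if ip in banned:
            continue
        q = window[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:   # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned.append(ip)
    return banned

def ban_commands(ips, jail="ssh"):
    """Illustrative ipset entries in the style the firewallcmd-ipset action maintains;
    the f2b-<jail> set name is assumed, check action.d/firewallcmd-ipset.conf."""
    return [f"ipset add f2b-{jail} {ip} -exist" for ip in ips]
```

Note that 198.51.100.7 also fails three times, but its failures are spread over 40 minutes, so with findtime at 600 seconds it is never banned; widening findtime changes the result.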

Installing FirewallD

Now that we've set up Fail2ban, we need to install and configure FirewallD to work with it.

Most modern Linux distributions come with FirewallD preinstalled, but if not, we can install it using our distribution's package manager.

For example, on Ubuntu and Debian, we can install FirewallD using the following command:

sudo apt-get install firewalld

On CentOS and Fedora, we can install FirewallD using the following command:

sudo yum install firewalld

Once installed, we can start the FirewallD service using the following command:

sudo systemctl start firewalld

Configuring FirewallD

Now that we have FirewallD installed, we need to configure it to work with Fail2ban.

FirewallD's configuration files are located in the /etc/firewalld directory. The main configuration file is firewalld.conf, which contains the default configuration for FirewallD.

To configure FirewallD, we need to create a new zone for Fail2ban to use. A zone is simply a named set of firewall rules that applies to the network interfaces or source addresses assigned to it, such as "public" or "private".

To create a new zone for Fail2ban, we can use the following command:

sudo firewall-cmd --permanent --new-zone=fail2ban

This will create a new zone called "fail2ban".

Next, we need to add a rule to the "fail2ban" zone that will block incoming traffic from banned IP addresses. We can do this using the following command:

sudo firewall-cmd --permanent --zone=fail2ban --add-rich-rule='rule family="ipv4" source NOT address="127.0.0.1/8" service name="ssh" drop'

This will add a rule to the "fail2ban" zone that will drop incoming traffic to the SSH service from any IP address that is not 127.0.0.1.

We can create similar rules for other services on our server, such as Apache or Postfix, by changing the "service" option in the above command.

Once we've created our rules, we need to reload the FirewallD service using the following command:

sudo firewall-cmd --reload

Conclusion

By combining Fail2ban and FirewallD, we can create a simple yet robust security system for our Linux server. Fail2ban will monitor our server's log files and ban malicious IP addresses, while FirewallD will block incoming traffic from those banned IP addresses.

This system is easy to set up and maintain, and it can help prevent many common types of attacks on our server.